Commit 0271ae81 authored by Giannis Kopanas's avatar Giannis Kopanas
Browse files

Merge branch 'review-decision-page-authsome' into 'master'

Review decision page authsome

See merge request !208
parents 3f08fc54 025d2acd
Pipeline #7543 passed with stages
in 2 minutes and 48 seconds
......@@ -13,7 +13,7 @@ class XpubCollabraMode {
constructor(userId, operation, object, context) {
this.userId = userId
this.operation = XpubCollabraMode.mapOperation(operation)
this.object = object
this.object = object.current ? object.current : object
this.context = context
}
......@@ -254,12 +254,17 @@ class XpubCollabraMode {
if (!this.isAuthenticated()) {
return false
}
const fragment = this.object
let permission = this.isAuthor(fragment)
permission = permission ? true : this.isAssignedReviewerEditor(fragment)
permission = permission ? true : this.isAssignedManagingEditor(fragment)
// Caveat: this means every logged-in user can read every fragment (but needs its UUID)
// Ideally we'd check if the fragment (version) belongs to a collection (project)
// where the user is a member of a team with the appropriate rights. However there is no
// link from a fragment back to a collection at this point. Something to keep in mind!
return true
return permission
}
/**
......@@ -444,6 +449,7 @@ class XpubCollabraMode {
(await this.isAssignedHandlingEditor(this.object)) ||
(await this.isAssignedSeniorEditor(this.object)) ||
(await this.isAssignedReviewerEditor(this.object))
return permission
}
......@@ -524,6 +530,14 @@ class XpubCollabraMode {
return this.checkPageSubmit(params)
}
if (path === '/projects/:project/versions/:version/review') {
return this.checkPageReview(params)
}
if (path === '/projects/:project/versions/:version/decision/:project') {
return this.checkPageDecision(params)
}
return true
}
......@@ -547,6 +561,25 @@ class XpubCollabraMode {
return permission
}
async checkPageReview(params) {
const collection = this.context.models.Collection.find(params.project)
const version = this.context.models.Fragment.find(params.version)
if (this.isAuthor(collection)) return false
let permission = await this.checkTeamMembers(
['isAssignedSeniorEditor', 'isAssignedHandlingEditor'],
collection,
)
// set object to Fragment so can validate on canReadFragment
this.object = version
permission = permission ? true : await this.canReadFragment()
return permission
}
async checkTeamMembers(team, object) {
const permission = await Promise.all(team.map(t => this[t](object)))
return permission.includes(true)
......@@ -574,32 +607,32 @@ module.exports = {
GET: (userId, operation, object, context) => {
const mode = new XpubCollabraMode(userId, operation, object, context)
// GET /api/collections
if (object && object.path === '/collections') {
if (mode.object && mode.object.path === '/collections') {
return mode.canListCollections()
}
// GET /api/users
if (object && object.path === '/users') {
if (mode.object && mode.object.path === '/users') {
return mode.canListUsers()
}
// GET /api/fragments
if (object && object.path === '/fragments') {
if (mode.object && mode.object.path === '/fragments') {
return mode.canListFragments()
}
// GET /api/teams
if (object && object.path === '/teams') {
if (mode.object && mode.object.path === '/teams') {
return mode.canListTeams()
}
// GET /api/collection
if (object && object.type === 'collection') {
if (mode.object && mode.object.type === 'collection') {
return mode.canReadCollection()
}
// GET /api/fragment
if (object && object.type === 'fragment') {
if (mode.object && mode.object.type === 'fragment') {
return mode.canReadFragment()
}
......@@ -609,7 +642,7 @@ module.exports = {
}
// GET /api/user
if (object && object.type === 'user') {
if (mode.object && mode.object.type === 'user') {
return mode.canReadUser()
}
......@@ -619,27 +652,30 @@ module.exports = {
const mode = new XpubCollabraMode(userId, operation, object, context)
// POST /api/collections
if (object && object.path === '/collections') {
if (mode.object && mode.object.path === '/collections') {
return mode.canCreateCollection()
}
// POST /api/users
if (object && object.path === '/users') {
if (mode.object && mode.object.path === '/users') {
return mode.canCreateUser()
}
// POST /api/fragments
if (object && object.path === '/fragments') {
if (mode.object && mode.object.path === '/fragments') {
return mode.canCreateFragment()
}
// POST /api/collections/:collectionId/fragments
if (object && object.path === '/collections/:collectionId/fragments') {
if (
mode.object &&
mode.object.path === '/collections/:collectionId/fragments'
) {
return mode.canCreateFragmentInACollection()
}
// POST /api/teams
if (object && object.path === '/teams') {
if (mode.object && mode.object.path === '/teams') {
return mode.canCreateTeam()
}
......@@ -649,27 +685,27 @@ module.exports = {
const mode = new XpubCollabraMode(userId, operation, object, context)
// PATCH /api/make-invitation
if (object && object.path === '/make-invitation') {
if (mode.object && mode.object.path === '/make-invitation') {
return mode.canMakeInvitation()
}
// PATCH /api/collections/:id
if (object && object.type === 'collection') {
if (mode.object && mode.object.type === 'collection') {
return mode.canUpdateCollection()
}
// PATCH /api/users/:id
if (object && object.type === 'user') {
if (mode.object && mode.object.type === 'user') {
return mode.canUpdateUser()
}
// PATCH /api/fragments/:id
if (object && object.type === 'fragment') {
if (mode.object && mode.object.type === 'fragment') {
return mode.canUpdateFragment()
}
// PATCH /api/teams/:id
if (object && object.type === 'team') {
if (mode.object && mode.object.type === 'team') {
return mode.canUpdateTeam()
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment